Smart Contracts: A Killer Application for Deductive Source Code Verification

  • Wolfgang Ahrendt
  • Gordon J. Pace
  • Gerardo Schneider
Chapter

Abstract

Smart contracts are agreements between parties which not only describe the ideal behaviour expected from those parties, but also automate such ideal performance. Blockchain and similar distributed ledger technologies have enabled the realisation of smart contracts without the need for trusted parties—typically using computer programs which have access to digital assets to describe smart contracts, storing and executing them in a transparent and immutable manner on a blockchain. Many approaches have adopted fully fledged programming languages to describe smart contracts, thus inheriting from software the challenge of correctness and verification—just as in software systems, in smart contracts mistakes happen easily, leading to unintended and undesirable behaviour. Such wrong behaviour may show accidentally, but as the contract code is public, malicious users can seek vulnerabilities to exploit, causing severe damage. This is witnessed by the increasing number of real-world incidents, many leading to huge financial losses. As in critical software, the formal verification of smart contracts is thus paramount. In this paper we argue for the use of deductive software verification as a way to increase confidence in the correctness of smart contracts. We describe challenges and opportunities, and a concrete research program, for deductive source code level verification, focussing on the most widely used smart contract platform and language, Ethereum and Solidity.

Notes

Acknowledgements

The authors would like to thank Richard Bubel, Joshua Ellul, Raúl Pardo, and Vincent Rebiscoul for fruitful discussions about Solidity contracts and their verification.

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Wolfgang Ahrendt (1)
  • Gordon J. Pace (2)
  • Gerardo Schneider (3)

  1. Chalmers University of Technology, Gothenburg, Sweden
  2. University of Malta, Msida, Malta
  3. University of Gothenburg, Gothenburg, Sweden
